[Snort-devel] Rules with threshold don't work in inline mode

Eric Leblond eric at ...3013...
Sat Feb 28 05:13:30 EST 2009


A design problem causes a failure in the handling of rules with
threshold and drop decision which are dropping all the packets.

When doing some test of inline mode, I've encountered a problem with the
following rule:
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SSH Scan"; flags:S;
threshold: type threshold, track by_src, count 5, seconds 120;
classtype: attempted-recon; r sid: 2001219; rev:16;)

The rule is blocking all SYN packets to port 22 because of the following
lines in fpdetect.c:

if( !sfthreshold_test( otn->event_data.sig_generator, ...)) {
    /*
    ** If InlineMode is on, then we still want to drop packets
    ** that are drop rules. We just don't want to see the alert.
    */
    if(rtn->type == RULE_DROP || rtn->type == RULE_SDROP)
        return 1; /* Don't log it ! */

The problem is that for every packet but the fifth one (in a 120 sec
delay), sfthreshold_test() returns 0 to avoid logging and the packet gets

Thus in inline mode, any rule using a threshold and a drop decision is
dropping every packet.

I've tried to fix this but the code modifications have to be done deep
into the threshold subsystem (each function's return value has to be
carefully chosen, and no ! operator can be used).

As I'm not familiar with the code, there may be an easier solution. Any
tips or help are welcome.

Eric Leblond <eric at ...3013...>
INL: http://www.inl.fr/
NuFW: http://www.nufw.org/
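Added example, not part of the post or of Snort's own source: a small C model of the "track by_src, count 5, seconds 120" counter and of the two verdict policies discussed above (the quoted fpdetect.c behaviour, where a suppressed alert on a drop rule still drops, versus a hypothetical variant where the drop follows the threshold). The semantics, the names threshold_test and simulate, and the 10.0.0.1 source are assumptions.

```c
#include <string.h>

/* Constructed model of Snort's "type threshold, track by_src, count N,
 * seconds S" option (assumed semantics: log once per N matches from the
 * same source inside an S-second window, then count again). */
typedef struct { char src[16]; int hits; long window_start; } ThreshEntry;

static ThreshEntry table[64];
static int nentries;

static void reset_table(void) { nentries = 0; }

/* Same contract as sfthreshold_test() in fpdetect.c: 1 = log the event,
 * 0 = suppress it. `now` is in seconds. */
int threshold_test(const char *src, long now, int count, int seconds) {
    ThreshEntry *e = NULL;
    for (int i = 0; i < nentries; i++)
        if (strcmp(table[i].src, src) == 0) { e = &table[i]; break; }
    if (!e) {
        if (nentries == 64) reset_table();   /* toy table: flush when full */
        e = &table[nentries++];
        strncpy(e->src, src, sizeof e->src - 1);
        e->src[sizeof e->src - 1] = '\0';
        e->hits = 0;
        e->window_start = now;
    }
    if (now - e->window_start >= seconds) {  /* window expired: restart */
        e->hits = 0;
        e->window_start = now;
    }
    if (++e->hits >= count) { e->hits = 0; return 1; }
    return 0;
}

typedef struct { int dropped; int alerted; } Tally;

/* Replay n SYNs from one source (constructed: 10.0.0.1), one per second,
 * through the drop rule. gate_drop = 0 reproduces the quoted fpdetect.c
 * logic (threshold suppresses the alert, packet is dropped anyway);
 * gate_drop = 1 is the hypothetical variant where the verdict follows
 * the threshold, so only the packet that fires the alert is dropped. */
Tally simulate(int n, int gate_drop) {
    Tally t = {0, 0};
    reset_table();
    for (int i = 0; i < n; i++) {
        int logged = threshold_test("10.0.0.1", i, 5, 120);
        if (logged) t.alerted++;
        if (logged || !gate_drop) t.dropped++;
    }
    return t;
}
```

With ten SYNs in the window, the quoted logic drops all ten while alerting twice; the gated variant alerts twice and drops only those two packets.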
